Index: /trunk/src/wp-admin/includes/admin-filters.php
===================================================================
--- /trunk/src/wp-admin/includes/admin-filters.php	(revision 41740)
+++ /trunk/src/wp-admin/includes/admin-filters.php	(revision 41741)
@@ -39,4 +39,6 @@
 
 // Misc hooks.
+add_action( 'admin_init', 'wp_admin_headers'         );
+add_action( 'login_init', 'wp_admin_headers'         );
 add_action( 'admin_head', 'wp_admin_canonical_url'   );
 add_action( 'admin_head', 'wp_color_scheme_settings' );
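Review bot: The `login_init` registration attaches a function named and documented for the admin to the login screen without saying why. A short comment above the two new lines would help, for example `// Referrer policy: admin and login URLs should not be disclosed to external sites.`. Note also that `admin_init` runs for `admin-ajax.php` and `admin-post.php` requests, so the header is sent on those responses too; that looks harmless but is worth stating in the same comment.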
Index: /trunk/src/wp-admin/includes/misc.php
===================================================================
--- /trunk/src/wp-admin/includes/misc.php	(revision 41740)
+++ /trunk/src/wp-admin/includes/misc.php	(revision 41741)
@@ -921,4 +921,25 @@
 
 /**
+ * Send a referrer policy header so referrers are not sent externally from administration screens.
+ *
+ * @since 4.9.0
+ */
+function wp_admin_headers() {
+	$policy = 'same-origin';
+
+	/**
+	 * Filters the admin referrer policy header value. Default 'same-origin'.
+	 *
+	 * @since 4.9.0
+	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+	 *
+	 * @param string $policy The referrer policy header value.
+	 */
+	$policy = apply_filters( 'admin_referrer_policy', $policy );
+
+	header( sprintf( 'Referrer-Policy: %s', $policy ) );
+}
+
+/**
  * Outputs JS that reloads the page if the user navigated to it with the Back or Forward button.
  *
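Review bot: The value returned by the `admin_referrer_policy` filter is passed to `header()` unchecked, so a callback returning an empty string, `false` or a non-string produces an empty or malformed `Referrer-Policy` header and the browser falls back to its default policy without any signal. Before the `header()` call I would add `if ( ! is_string( $policy ) || '' === trim( $policy ) ) { $policy = 'same-origin'; }`. The call also has no `headers_sent()` guard, so any output emitted earlier in `admin_init` or `login_init` results in a PHP warning and no header. The function docblock mentions only administration screens although the function is hooked on `login_init` as well, and it should say that a filter can weaken the policy (for example to `unsafe-url`). Browsers that do not recognise `same-origin` will presumably ignore the header, so it should be treated as one layer rather than the only protection for sensitive URLs.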
